Description

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-27
  • Author: Shannon Davis, Splunk
  • ID: 817b0dfc-23ba-4bcc-96cc-2cb77e428fbe

Narrative

A non-privileged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to trigger it are a trailing backslash together with the shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detections.
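As an added illustration of the two log-based detections named in this story (the sudoedit invocation check and the sudoedit segfault check), the following Python reproduces their logic over a handful of constructed syslog-style lines. It is example code written for this page, not the Splunk detection content itself; the sample lines, host names and PIDs are made up, and the choice to treat both -s and -i as "shell mode" flags is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed syslog-style sample lines (not captured from any real host).
# The third line ends in a literal backslash: the Python source "\\" is one backslash.
SAMPLE_LOG_LINES = [
    "Jan 27 10:01:02 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 27 10:02:15 host1 kernel: [ 1234.567890] sudoedit[2048]: segfault at 0 ip 00007f0c5d2e1a3c sp 00007ffd1a2b3c40 error 4 in libc-2.31.so[7f0c5d270000+178000]",
    "Jan 27 10:02:16 host1 sudo: bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit -s \\",
    "Jan 27 10:03:00 host1 sshd[999]: Accepted publickey for carol from 10.0.0.5 port 51234 ssh2",
    "Jan 27 10:04:00 host1 kernel: [ 1300.000000] myapp[3001]: segfault at 8 ip 0000000000401136 sp 00007ffc1a2b3c40 error 6 in myapp[400000+1000]",
    "Jan 27 10:05:00 host1 sudo: dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=sudoedit /etc/hosts",
]


@dataclass
class Finding:
    rule: str   # which of the two detections fired
    host: str   # host field from the syslog header
    line: str   # the raw log line, kept for triage


# Detection 1: sudoedit invoked with a shell-mode flag (-s or -i, possibly
# bundled in a short option group) and the logged command ending in a backslash.
SUDOEDIT_SHELL_MODE = re.compile(r"\bsudoedit\b.*\s-[A-Za-z]*[si][A-Za-z]*\b")
TRAILING_BACKSLASH = re.compile(r"\\\s*$")

# Detection 2: a kernel segfault record whose crashing process is sudo/sudoedit.
# A segfault in any other binary (see the myapp line above) is not of interest here.
SUDO_SEGFAULT = re.compile(r"\b(?:sudoedit|sudo)\[\d+\]: segfault\b")

# "Mon DD HH:MM:SS host ..." syslog header; used only to pull the host name.
SYSLOG_HOST = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s")


def _host_of(line: str) -> str:
    m = SYSLOG_HOST.match(line)
    return m.group(1) if m else "unknown"


def detect_baron_samedit(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that matches either detection."""
    findings: List[Finding] = []
    for line in lines:
        if SUDOEDIT_SHELL_MODE.search(line) and TRAILING_BACKSLASH.search(line):
            findings.append(Finding("sudoedit_shell_mode_trailing_backslash", _host_of(line), line))
        elif SUDO_SEGFAULT.search(line):
            findings.append(Finding("sudoedit_segfault", _host_of(line), line))
    return findings


if __name__ == "__main__":
    for f in detect_baron_samedit(SAMPLE_LOG_LINES):
        print(f"[{f.rule}] {f.host}: {f.line}")
```

Run against the constructed lines, the segfault rule fires on the sudoedit crash record and the invocation rule fires on the logged "sudoedit -s \" command; the ordinary sudoedit of /etc/hosts, the apt run and the unrelated segfault are all left alone. In a real deployment the same two patterns would be applied to the /var/log data the Universal Forwarder ships, with the host field used to group hits per machine.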

Detections

Name                                            Technique                               Type
Detect Baron Samedit CVE-2021-3156              Exploitation for Privilege Escalation   TTP
Detect Baron Samedit CVE-2021-3156 Segfault     Exploitation for Privilege Escalation   TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery  Exploitation for Privilege Escalation   TTP

Reference

source | version: 1